Response Due to IP&L: 12/21/2000
Main Idea

1. Describe your invention, stating the problem solved (if appropriate), and indicating the advantages of
using the invention.

This invention deals with prevention of piracy in the context of digital content distribution. Consider an 
encryption scheme whereby a Center broadcasts a message to a group of users so that only a subset of 
the users should be able to obtain the content of the message. Such schemes are naturally used for
distribution of copyright protected content (such as music and movies) or for subscription-based systems 
(e.g. pay TV and Web Casting). A common problem with such schemes is that keys of certain users may 
leak and further be used by pirate decoders, software clones and other illegal means, thereby violating 
ownership rights of the data. 

The invention provides a mechanism to combat the leakage of keys and their subsequent use by illegal 
decryption-boxes. Suppose that a pirate decryption-box contains the keys associated with at most t users
u_1, ..., u_t known as the "traitors". The goal of a tracing algorithm is to either

1. find the identities of those that contributed their keys to an illicit decryption box, or

2. render the box useless by finding a "pattern" that does not allow decryption using the box, but still
allows broadcasting to the legitimate users.

When combined with an encryption scheme that is capable of revoking illegal users from future 
communications it yields a trace-and-revoke mechanism, which is a powerful tool to combat piracy. A 
tracing algorithm is evaluated based on (i) the number of illegal keys it is able to trace (ii) the level of
performance downgrade it imposes on the encryption scheme (iii) the number of queries needed to trace 
the box. 

The suggested scheme is a black-box tracing, i.e. one that does not take the decoder apart but by
providing it with an encrypted message and observing its output (the decrypted message) tries to figure
out who leaked the keys. It assumes that messages are encrypted using a Subset-Cover encryption
scheme which satisfies the bifurcation property. The precise nature of such encryption schemes is
defined below; two preferred embodiments for subset-cover revocation schemes having the bifurcation
property are the Complete-Subtree method and the Subset-Difference method which are the subjects of
Disclosure [identifier illegible].

Advantages of using this invention are:

In order to trace t illegal users, it requires a message that consists of t log N keys where N is the total
number of users in the entire system. A further improvement requires a message length of only 5t

inventions. A Subset-Cover encryption scheme works as follows (as it covers all privileged users by
smaller subsets).

• Each user u is initially assigned some secret information denoted by I_u (typically, these are sets of
keys).

• The scheme defines a collection of subsets of users S_1, ..., S_w and their corresponding keys
so that for any 1 ≤ i ≤ w a user u can compute k_i from I_u if and only if it belongs to the subset S_i.

• Given M and P, the set P is partitioned into disjoint subsets S = S_i1, S_i2, ..., S_im so that every
privileged user is in exactly one subset. M is then encrypted with the keys corresponding to these
subsets:

This allows the users in P, and only them, to obtain M.

Bifurcation property

Our tracing mechanism requires that the Subset Cover algorithm satisfy the bifurcation property. The
bifurcation property implies that for any subset S_i it is possible to partition S_i into two (or any constant)
roughly equal sets and encrypt M using the two new sets instead of using S_i, i.e. there exist sets S_i^1
and S_i^2 such that

1. S_i = S_i^1 ∪ S_i^2

2. the size of S_i^1 is roughly the same as of S_i^2

For a Subset Cover scheme, let the bifurcation value be the relative size of the largest subset in such a
split.

The two preferred embodiments for a Subset-Cover revocation scheme, the Complete Subtree and the 
Subtree Difference methods, satisfy the bifurcation property. In the case of the Complete Subtree Method 
the bifurcation value is 1/2 and for the Subtree Difference Method, the bifurcation value is 2/3. 

Moreover, the Subtree Difference Method has an additional useful property: given any collection of r
subsets S_i1, ..., S_ir, the method can cover all users that are not in S_i1, ..., S_ir by at most 3r subsets.

In the discussion that follows the encryption scheme is viewed as a "box" that is capable of encrypting M
when provided with either a specific partition S of all privileged users, or with the actual set P of
privileged users. In the latter case, the partition that was used is also output. See diagram below.

[Diagram labels: P = privileged users; S = S_i1, S_i2, ..., S_im]




The Tracing Algorithm 

Let N be the total number of users in the system. Suppose that a pirate decryption-box contains the keys
associated with at most t users u_1, ..., u_t known as the "traitors". The invention is a subsets-based
tracing algorithm. It devises a sequence of queries that are given to the decoder whose result is either

• a subset of users consisting of the traitors, or

• a partition of users into subsets that renders the box useless, i.e. given a message that is encrypted
with the given partition, the box decrypts the message with probability smaller than the threshold q
while all good users can still decrypt.

Naturally, the tracing algorithm is based on constructing a useful sequence of partitions which will finally 
allow the detection of a traitor's identity. 

An important procedure in our tracing mechanism is one that given a partition S = S_i1, S_i2, ..., S_im and
an illegal box outputs one of two possible outputs: either

1. The box cannot decrypt when the encryption is done with partition S, or

2. Finds a subset S_ij such that S_ij contains a traitor.

Such a procedure is called subset tracing.

[Diagram: input S = S_i1, S_i2, ..., S_im; outputs "not decrypting" or "S_ij contains a traitor"]



We explain our subset tracing procedure below. For now, let us assume that one exists, and we will now
describe the general tracing algorithm, that uses the subset tracing procedure as a subroutine. The
general algorithm maintains a partition S = S_i1, S_i2, ..., S_im. At each phase one of the subsets is
partitioned, and the goal is to partition a subset only if it contains a traitor. The initial partition is S^0 (all
users). A phase proceeds as follows:

At the beginning of the phase run the subset-tracing procedure with partition S = S_i1, S_i2, ..., S_im.

• If the procedure outputs that the box cannot decrypt with S then we are done, in the sense
that we have found a way to disable the box without hurting any legitimate user.

• Otherwise, let S_ij be the set output by the subset-tracing procedure, namely S_ij contains a traitor.

    • If S_ij contains only one possible candidate, it must be a traitor. Permanently revoke
    this user from the set of privileged users.

    • Otherwise, split S_ij into two roughly equal subsets and continue with the new
    partitioning. The existence of such a split is assured by the bifurcation property.

The number of iterations of the above can be at most t log_a N, where a is the inverse of the bifurcation
value.




The Subset Tracing Procedure:

The Subset Tracing procedure first tests whether the box decodes a message that is legally encoded with
the partition S = S_i1, S_i2, ..., S_im with sufficient probability, say p > 0.5. By "legally encoded" we mean a
normal message that would look exactly like normal operation. If the box does not decode, then it
concludes (and outputs) that the box cannot decrypt with S. Otherwise, it needs to find a subset S_ij that
contains a traitor.

Such a subset is found as follows. Let p_j be the probability that the box decodes the ciphertext
where is a random string of the same length as the key K; i.e., it is a false key. That is, p_j is the
probability of decoding when the first j subsets have false keys and the remaining subsets encode the
correct key. If |p_{j-1} - p_j| > p/m then it must be that S_ij contains a traitor. We note that at least one such j
always exists.

To efficiently find a subset that contains a traitor, employ the binary-search-like method described hereby
that efficiently finds a pair of values p_{j-1} and p_j among p_0, ..., p_m satisfying |p_{j-1} - p_j| > p/m. Starting with the
entire interval [0,m], the search is repeatedly narrowed down to an arbitrary interval [a,b]. At each stage,
the middle value p_c is computed and the interval is further halved either to the left half or to the right
half, depending on the difference between p_c and the endpoint values p_a and p_b of the interval. Observe that
p_0 is p and p_m is 0. Furthermore, in most practical cases, p is 1; in other words, the clone always decrypts
during normal operation. The method is outlined below; it outputs the index j.

SubsetTracing(a,b,p_a,p_b)

If (a = b-1)
    return b
Else
    Let c = ⌈(a+b)/2⌉
    Compute p_c
    If |p_a - p_c| ≥ |p_a - p_b|/2
        SubsetTracing(a,c,p_a,p_c)
    Else
        SubsetTracing(c,b,p_c,p_b)
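
The general tracing algorithm and the subset tracing procedure above, as an added Python example that is not part of the original disclosure. It assumes subsets are contiguous user ranges (lo, hi) split in half (bifurcation value 1/2) and a constructed, deterministic pirate box, so every p_j is 0 or 1 and one query per estimate suffices; the names make_box, p, subset_tracing and trace are hypothetical.

```python
# Added illustration: black-box tracing over range-shaped subsets.
def make_box(traitors):
    """Constructed pirate decoder: decrypts iff some subset that carries the
    real key contains a user whose keys the box holds."""
    def box(partition, real):
        return any(r and any(lo <= u < hi for u in traitors)
                   for (lo, hi), r in zip(partition, real))
    return box

def p(box, partition, j, trials=1):
    """Estimate p_j: the first j subsets get false keys, the rest the real key."""
    real = [i >= j for i in range(len(partition))]
    return sum(box(partition, real) for _ in range(trials)) / trials

def subset_tracing(box, partition, a, b, pa, pb):
    """Binary search for the gap between p_{j-1} and p_j; returns 1-based j."""
    if a == b - 1:
        return b
    c = (a + b + 1) // 2                      # ceil((a+b)/2)
    pc = p(box, partition, c)
    if abs(pa - pc) >= abs(pa - pb) / 2:      # the gap lies in the left half
        return subset_tracing(box, partition, a, c, pa, pc)
    return subset_tracing(box, partition, c, b, pc, pb)

def trace(box, n):
    """General algorithm: split only a subset shown to contain a traitor."""
    partition, revoked = [(0, n)], []
    while partition:
        p0 = p(box, partition, 0)
        if p0 <= 0.5:                         # box cannot decrypt with S: done
            break
        j = subset_tracing(box, partition, 0, len(partition), p0, 0.0)
        lo, hi = partition.pop(j - 1)
        if hi - lo == 1:
            revoked.append(lo)                # single candidate: it is a traitor
        else:
            mid = (lo + hi) // 2              # bifurcation: two equal halves
            partition[j - 1:j - 1] = [(lo, mid), (mid, hi)]
    return sorted(revoked), partition
```

With a probabilistic box, `trials` would be raised to the number of queries the efficiency analysis calls for.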



Efficiency: Subset tracing requires O(log m) evaluations of p_j. An evaluation of p_j must be within an
accuracy that reveals a difference of the order of 1/m; namely, p_j needs to be estimated so the difference
between its true value and its estimated value does not exceed 1/2m with assurance probability of 1-ε.
Also, the true value of p can be as small as of the order of 1/m. It follows from Chernoff bounds that m^2 log(1/ε)
ciphertext queries to the decoding box are sufficient to estimate such p_j within the required accuracy.
Hence, a subset tracing procedure that works with success probability of 1 - ε log m requires m^2 log m log(1/ε)
ciphertext queries over the entire procedure.

Subset Tracing with Noisy Binary Search: It is possible to improve the efficiency of the subset tracing
procedure by viewing it as a noisy-binary search procedure. The noisy binary search assumes that at
each step of the decision tree the correct decision is obtained with probability 1-Q, where Q is a value
close to 1/2, for example Q=1/3. In a model where each answer is correct with some fixed probability (say
greater than 2/3) that is independent of history it is possible to perform binary search in log N + log 1/Q
queries where log N is the number of levels in the search tree. Specifically for our case, we can assume that
the computation of p_c at each step may yield a faulty value with probability Q; this yields that the number of
queries required over the entire procedure can be reduced to m^2 (log m + log 1/Q).

Improving The Tracing Algorithm

Among the t log N subsets generated by the basic tracing algorithm, only t actually contain a traitor. The
idea is to repeatedly merge those subsets which are not known to contain a traitor so as to reduce the
number of subsets in the partition. For some encryption schemes it is possible to efficiently perform this
merging, thus reducing the length of the message required to trace t traitors. For example, the preferred
embodiment uses the Subset-Difference method as the encryption scheme and requires a message of
only 5t to trace t traitors (instead of t log N).

Specifically, we maintain at each iteration a frontier of at most 2t subsets and merge the rest of the
subsets. In the following iteration a subset that contains a traitor is further partitioned; as a result, a new
frontier is defined and the remaining subsets are re-grouped.

Frontier subsets 

Let S = S_i1, S_i2, ..., S_im be the partition at the current iteration. A pair of subsets S_ij1 and S_ij2 is said
to be in the frontier if S_ij1 and S_ij2 resulted from a split-up of a single subset at an earlier iteration. Also
neither S_ij1 nor S_ij2 was singled out by the subset tracing procedure so far. This definition implies that
the frontier is composed of at most t disjoint pairs of buddy subsets.

The improved tracing algorithm proceeds in iterations. Every iteration starts with a partition S = S_i1, S_i2,
..., S_im. Denote by F ⊆ S the frontier of S. An iteration consists of the following steps, by the end of
which a new partition S' and a new frontier F' is defined.

• As before, use the Subset Tracing procedure to find a subset S_ij that contains a traitor. If the
tracing procedure outputs that the box cannot decrypt with S then we are done. Otherwise, split
S_ij into S_ij1 and S_ij2.

• Set F' = F ∪ S_ij1 ∪ S_ij2 (include S_ij1 and S_ij2 in the new frontier). Furthermore, if S_ij was in the
frontier F and S_ik was its buddy-subset in F then F' = F' \ S_ik (remove S_ik from the new
frontier).

• Compute a cover C for all receivers that are not covered by F'. Define the new partition S' as the
union of C and F'.

An encryption method that can construct a small cover C for the non-frontier sets in the third step can take
advantage of this improvement.

Tracing Traitors from Many Boxes 

As new illegal decoding boxes, decoding clones and hacked keys are continuously being introduced 
during the lifetime of the system, a revocation strategy needs to be adopted in response. This revocation 
strategy is computed by first revoking the identities of all the receivers that need to be excluded, resulting 
in some partition S . 

To trace traitors from possibly more than one illegal decoder and make all of these boxes non-decoding,
the tracing algorithm needs to be run in parallel on all boxes by providing all boxes with the same input.
The initial input is the partition that results from the set of all users that have not been revoked so far.
As the algorithm proceeds, when the first box detects a traitor in one of the sets it re-partitions accordingly
and the new partition is now input to all boxes simultaneously. The output of this simultaneous algorithm is
a partition (or "revocation strategy") that renders all revoked receivers and illegal black boxes invalid.

3. If the same advantage or problem has been identified by others (inside/outside IBM), how have those
others solved it and does your solution differ and why is it better?